Ask Slashdot: Why Not Linux For Security? 627
An anonymous reader writes "In Friday's story about IBM's ban on Cloud storage there was much agreement, such as: 'My company deals with financial services. We are not allowed to access Dropbox either.' So why isn't Linux the first choice for all financial services? I don't know any lawyers, financial advisers, banks, etc., that don't use Windows. I switched to Linux in 2005 — I'm well aware that it's not perfect. But the compromises have been so trivial compared to the complete relief from dealing with Windows security failings. Even if we set aside responsibility and liability, business already do spend a lot of money and time on trying to secure Windows, and cleaning up after it. Linux/Unix should already be a first choice for the business world, yet it's barely even known of. It doesn't make sense. Please discuss; this could use some real insight. And let's at least try to make the flames +5 funny."
Wonderful Support... (Score:5, Insightful)
The thing people like a lot of the times is that microsoft offers support, they have it stuck in their head that if you spend money on it, it must be better than a free alternative. Pretty simple really but that's human nature in this day and age, we are programed for it from commercials on tv to radio to Target and Walmart.
been done before (Score:5, Insightful)
This has been discussed ad nauseum here over the last decade.
One big reason why things are the way they are, is that corporate types want somebody to blame when things go pear-shaped. There's not many linux companies of enough size to handle that. Just RedHat and SuSe.
Another reason is yes, the apps. The simply *must* have MS Access and integration with the whole Office suite. Anything that doesn't have this is likely a non-starter.
Must we ...? (Score:2, Insightful)
Must we really re-hash windows vs linux? Must we?
Fear of Backdoors? (Score:5, Insightful)
If I were a too busy to be bothered executive, my high level opinion of the hobbyist operating system would be that it's bound to be full of backdoors put in by the coders. What's worse, is when those backdoors cause my golden parachute producing institution serious financial harm, there's nobody to sue. At least if Microsoft were to do something dastardly, there's a few billion in assets to get the lawyers worked up over.
Re:Fine, I'll bite (Score:3, Insightful)
Additionally, Linux distribution security generally isn't much better than modern Windows. Even small to medium packages tend to pull in everything but the kitchen sink. Of course, if you stick to packages in Linux, you at least have only one update mechanism.
Few reasons (Score:5, Insightful)
1) Trying to run away from good security practice by going to something you perceive to be less targeted or better able to save you from yourself isn't a good idea. Hate to break it to you but really Windows itself is pretty good security wise these days. If you are having trouble the question to be asking yourself is what is wrong with the way things are set up. To me it is like having your house robbed and moving to a new neighbourhood, rather than locking your door at night. We run a mixed environment at work, and we don't have many Windows security issues, despite it being our big OS. Reason is we have a good security setup that provides defense in depth. We have real proactive security, not ostrich security.
2) Because often the products businesses need aren't available for Linux. People will point to half-assed alternatives because said half-assed alternatives are the best they can find. "Just write your own," is completely unfeasible to many companies, and uneconomical to others. If you'd save $X in terms of security issues and licensing but spend $X*10 to develop and support your software that does what you need, it isn't a good move.
3) Because Linux doesn't always, maybe even not usually, have a lower TCO. In our environment it requires a hell of a lot more fiddling than Windows to make it work. Our Linux lead spends a lot of time hacking around with things to make them work right, and dealing with customized setups (which we do a lot of being a research university) is a pain. I spend way less time fiddling to make Windows work, and not because I'm smarter to better than him. He's damn good. It just seems to be more trouble to get Linux to do what we need, the enterprise support tools aren't as robust.
Remember that security is only one facet of cost, and also remember Linux doesn't provide perfect security. You can argue if it is better or not, though many of the better arguments are just arguments of less targeting. Things like malware that the user has to download and run, an OS can provide no defense against that short of trusted computing or the like.
So you have to look at what it would cost and save in total.
Also as I said, really security talk needs to be about defense in depth and how to prevent problems, not about trying to run away from them. Security failures WILL happen, anyone who's done physical security know there's no such thing as a perfect defense, everything is fallible, and you have to have layers and you have to monitor and adapt to maintain good security.
I would rank a place high security that runs Windows but does things like: Have regular users run deprivileged and not hand out admin accounts. Have a good, but sensible password policy and use two factor authentication. Have all systems patched regularly and quickly and monitored. Run a host based firewall on all systems. Run an on access and on download virus scanner on all systems, centrally monitored. Run a network based firewall and IDS, maybe even more than one. Segments servers from workstations and only allows the access needed. Proactively monitors for problems. And so on.
I would rank a place low security if they just run Linux, give local users sudo, and say "Have fun, Linux is safe!"
Linux could potentially help with security, that would need to be evaluated by someone competent case-by-case. Linux does not give good security, it is layers and a process, not a magic bullet.
Re:Windows = Easy + User Friendly (Score:5, Insightful)
... but it really isn't! If you can manage to find someone with zero experience, Windows does not magically make sense to them.
Your premise is wrong. (Score:5, Insightful)
Unix is actually very popular where security is a concern. Most of the internet runs on some variety of Unix.
Same in business.
But the reasons it's not even more widespread are:
a) Management and HR are clueless, and so they implement the wrong policies and hire the wrong people.
b) Microsoft spends a lot of money on getting people hooked on their technologies, including getting most universities to teach their crap, so many sysadmins are clueless regarding anything outside Microsoft.
c) CTOs get bribed. Those bribes determine what technology they buy. The FSF doesn't have much money to waste on bribes, but many corporations do.
...Cuz Windows... (Score:5, Insightful)
Re:security is a system, not in a product (Score:2, Insightful)
Why would anyone buy firewalls when we have iptables and as far traffic monitoring, why pay for some custom Snort frontend? Actually that goes for iptables too. I haven't boought a router, firewall, traffic monitor, shaper or spam appliance in well over a decade.
Re:Windows = Easy + User Friendly (Score:5, Insightful)
No, windows is not user friendly. It's actually very user antagonistic. It is, however, corporate (particularly *AA) friendly.
Rather than not being user friendly, Linux's problem is it is too user friendly: it's easy to get lost in the choices.
Most windows users want their hand held. Corporations want to use handcuffs. Windows provides the handcuffs.
Re:Office (Score:3, Insightful)
I work in financial services and we are addicted to Microsoft Excel.
I get "relational data" in Excel spreadsheet form from outside vendors all of the time. I can't even get them to send me the data in a flat text file so Excel won't chop off the leading (and necessary) zeros.
It is what everybody knows.Not the way it should be, but that's life.
Re:Fine, I'll bite (Score:3, Insightful)
Even small to medium packages tend to pull in everything but the kitchen sink.
Well, if you're going to install something that requires KDE and you don't have KDE installed, be prepared to wind up installing KDE. But then if you are suddenly surprised that you are downloading KDE, it's *your* fault for not looking at the depends in the first place. It's not like this stuff is hidden away.
There *is* a problem with "Recommend" abuse. But then you can just turn off "treat recs as depends" and be done with it.
The system tells you exactly what's going on unless you're using that gawd-awful Ubuntu software center, but then Software Center is a reaction to the windroids that insist they not be told anything about what's going on, because it's "too complicated."
Linux distribution security generally isn't much better than modern Windows.
I dunno about you, but the amount of effort I personally go through keeping a Linux system secure is minuscule compared to having to keep up with Windows security. While this is a sampling of one, I believe my experience is typical.
--
BMO
Re:Because linux is secure (Score:2, Insightful)
One word: OpenBSD. It is more secure. You can debate the reasons all day long. But the fact of the matter is, even an OpenBSD box running SSH, SMTP, and HTTP services isn't going to get hacked. Forget remote root exploits. Let's talk about local root exploits, which are found regularly on Linux and Windows. OpenBSD? The most recent local root exploit, circa 2009, didn't work on the then current--or prior--release. Thus it was tagged--arguably improperly---as a reliability fix.
So it's not that bugs aren't found in OpenBSD. It's that their "proactive security" mantra has substance to it. The developers see where the state-of-the-art hacking techniques are going, and cut them off at the pass with counter measures. Contrast this with Linux or Windows, where they react after the fact; and after countless people have been p0wned.
Linux and Windows code is chock full of amazing algorithms and sophisticated hacks. OpenBSD code tends to be extremely dumbed down. If you're concerned with security, you want the dumb code. The more sophisticated the code, the harder it is to debug. The old adage that anyone who codes to the best of their ability is by definition incapable of debugging that code rings true.
Re:Fine, I'll bite (Score:5, Insightful)
The biggest advantage to Linux security is that it is far far easier to tell what is running, why it's running, and how it is configured, not to mention what ports are open and by whom.
Yes, in the hands of a newb user, both Linux and Windows can be insecure. That said, the training needed to lock down a Linux system is much more accessible and implementable. To properly lock down a Windows box you either need expensive third party tools or a Doctorate in "Making Microsoft do what I say despite what it wants".
Re:been done before (Score:4, Insightful)
Hmm, well then they better not have too close a look at any of MS or Apple's EULAs. They're all "no indemnification" and all that. Good luck suing MS or Apple, or even getting a response unless you already paid out the ass for a support contract.
The simple fact of the matter is that when it comes to big companies and technology, the ones making the "corporate" decisions are blithering idiots. Think about it: where are the smartest people you know working? Either they are actually getting (fun) shit done (eg, engineers solving problems), or they are in charge of their own startups (and how many startups go with MS?). Also, as someone else mentioned, there are some other large factors known as "mindshare" (why do you think MS gives deep discounts to college students) and bribes. If there were any justice in this world, MS would have gone out of business ten years ago due to everyone seeing through their BS. The depressing reality is that PT Barnum was right (and even that is a good example of mass ignorance: Barnum didn't say that, his opponent Hull did).
Re:Fine, I'll bite (Score:5, Insightful)
If many businesses switched to *nix on the destop it would become more popular and more malware would be written for it.
There's no evidence for that at all, in fact, there are now close to a million Android devices activated per day, more than there are Windows licenses sold. Despite that, Windows malware outnumbers Android malware by a couple of orders of magnitude.
And despite all the hype, the rate of increase of Android malware is low, again much lower than .NET malware.
Re:Fine, I'll bite (Score:4, Insightful)
The biggest advantage to Linux security is that it is far far easier to tell what is running, why it's running, and how it is configured, not to mention what ports are open and by whom.
Yes, in the hands of a newb user, both Linux and Windows can be insecure. That said, the training needed to lock down a Linux system is much more accessible and implementable. To properly lock down a Windows box you either need expensive third party tools or a Doctorate in "Making Microsoft do what I say despite what it wants".
This is one thing I love about Linux and *nix in general. If something goes wrong, it happened for a reason. It is not a random event. That means I can actually find out not just what failed, but *why* it failed. When I fix it, it stays fixed.
It's more like the deterministic behavior one would expect from a machine.
Re:Fine, I'll bite (Score:5, Insightful)
Why is everyone so arrogant about linux? (Score:4, Insightful)
I can give you four good reasons.
1) Excel. Sorry Libreoffice can't compare to someone who has 15 years of experience ( and a masters in finance/ econ/ 10 years of experience at company) making pivot tables and doesn't wish to learn another way of doing things. It's nice when you have a 10 year old formula in excel and can boot up office 2k and it works. Keep in mind a fair share of companies are still on office 2k, for better or worse. You can sit there in your chair and say "well, upgrade", but for a 40 seat license, it can cost 3500 usd, and many companies refuse to pay for it, especially when Office 2k is "good enough".
2) Active directory. Yes, you can control file access via samba. Yes, you can have user control via (one of many) means, but active directory is not (too) difficult, and any 1st year admin should be able to set up simple file access.
3) Standard installs. If I go to CompUSA, Wal-Mart, Best Buy or Target, I can buy a computer or laptop with Windows. Windows is the de facto standard because (for better or worse) that is what is able to be bought at the retail level. I would wager 95% of all computer available through retail channels has windows preinstalled.
4) Support. Microsoft is a Global 100 company. As they used to say 20 years ago... Nobody gets fired for buying IBM. If everyone else is purchasing office, and by default windows, then any issues that you encounter are the same issues that your competitors have. That (in it's own way) levels the playing field. We can all sit here and talk about how great Ernie Ball is for standardizing on Linux, but that is less than 1% of the marketplace. If I have an issue, I have a number to call, and the support I get is from a company that I can pay to get support from that everyone has heard of. Everyone hasn't heard of canonical. Hell, a lot of people have never heard of SAP or Oracle.
Re:Wonderful Support... (Score:5, Insightful)
I've worked for several Fortune 500 companies. Support has nothing to do with the decision: Exclusionary contracts do. Microsoft offers huge discounts to businesses that agree not to use a competitor's product. They also regularily check for compliance and there are large fines for any company caught using open source software.
I have been an employee/contractor at many Fortune 500 companies, and have never seen anything even hinting at a contract with Microsoft involving "large fines for any company caught using open source software". Care to provide any proof of Microsoft contract with any F500 consumer of software that prohibits said F500 from running open source software?
Can of worm !! (Score:5, Insightful)
If what you said is true, that corporations signing "exclusionary contracts" with Microsoft getting huge discounts, in exchange for letting Microsoft to come into their daily IT operation to do spot checks for any so-called "violation", that will be a can of worm right there !!
No corporation, and I mean, no self-respecting corporation, whether or not they are in the Fortune list, should allow any outsider to intrude into their internal operation in carrying out spot checks !!
Whoever signed those type of contract with Microsoft, and all their superiors, must bear full responsibility in any loses, whether in financial or in trade secret, incurred during those "spot checks"
Re:Fine, I'll bite (Score:5, Insightful)
Do a lot of on-line banking on your Android phone, do you? Or have a nice, high bandwidth connection you could saturate to support a DDoS attack on someone who didn't pay their protection money? Or store any juicy company data that could be handy for not-quite-insider trading?
There have been security vulnerabilities found in just about every major piece of networking/server software on Linux. There is no doubt about this, because most of those packages are open source, and the fixes are a matter of public record. If there was money in writing Linux malware, there have been plenty of weaknesses to exploit, just like on Windows (or any other major platform).
But serious malware today isn't written by script kiddies any more. It's essentially organised crime, and it follows the money. If you think that wouldn't lead it right to Linux if that became the dominant desktop OS, or that being primarily open source makes the Linux ecosystem magically immune to the kinds of security bugs that make it into code written by highly skilled and experienced professionals working for the best funded software companies in the world, then I've got a few friends in Nigeria who would like your help with some financial transactions.
Re:Wonderful Support... (Score:1, Insightful)
Kill parent. What a big fat bold faced lie! I have worked for very high profile, literally (genuinely) life-and-death (heart attacks, drownings, fire, shootings, stabbings, etc.). And critical components of microsoft systems are broken (when I say critical, I mean things a lawyer would subpoena the company for) but are broken, and microsofts only answer is 'use a 3rd party application'. FUCK! With Free Software, I can hire *ANY* of the competing service providers (IBM offers support for Linux, so does HP, RedHat, and thousands of others). Yes, you have to pay, just like you have to pay for microsoft service. If you try and lie and claim otherwise, I will remind you of the microsoft license "This software is licensed, not sold. It includes no warranty or liability, not even merchanability or fitness for any purpose". You have no warranty with Linux, you know, just like microsoft. The one thing you get with Linux for sure is access to all the source code. You can hire any mechanic to look at it. With microsoft, you get binary only. This is exactly like buying a car with the hood welded shut: If it breaks, buy a new one. With Linux, and free software, you also get... Free Market. With microsoft, you are stuck with them. Unhappy with microsoft service? SUCK IT UP! They can refuse service at any time they like.
Re:Fine, I'll bite (Score:4, Insightful)
Linux is at its lowest point in a very long time in terms of look-and-feel, polish, and usability in comparison to its commercial competitors. A lot of Linux users don't care about such things, and that's why desktop Linux never took off. ... Meanwhile Win7 is polished and works well.
While I'd agree with that regarding GNOME 3 and Unity, I don't think that applies to all Linux desktop environments -- it's very easy in KDE 4 to pick and use a theme that very closely mimics Win7 or OS X, just with more customization options if you want them. KDE 4's main visual failing point IMHO is that there's a severe lack of diversity in the themes compared to GNOME 2 or KDE 3, as nearly everything looks to some degree like a variant of Windows or OS X.
The main reason I see Linux forever failing to capture the desktop market is that the application & environment/theme developers, being unpaid, have zero incentive to care what the users want. The result is desktop environments & applications that may suit the devs perfectly well, but from many users' points of view are clunky, missing features, or bloated with features they'll never use. It's the devs' right, of course, but that doesn't keep the end-result from being that Linux can't manage to gain a respectable percentage of desktop marketshare.
Re:Office (Score:2, Insightful)
In what world does "software runs on Linux" mean "GPL" or even "LGPL"?
Some of the largest and most-expensive softwares run on Linux; e.g. everything Oracle makes/sells.
Google "commercial software on linux"
Re:Wonderful Support... (Score:4, Insightful)
2) 90% of banking software on the front-end (tellers, etc) is accessed via a web browser. 90% of the backend stuff is already java or linux powered.
3) When you buy 1000 machines for a large business, you get a few for testing ahead of time no matter WHAT operating system you plan to run.
4) When a large business buys computers, they don't come with windows licenses. They buy blank machines and get a site license.
Re:been done before (Score:4, Insightful)
corporate types want somebody to blame when things go pear-shaped. There's not many linux companies of enough size to handle that. Just RedHat and SuSe.
The irony here is that you complain there are just two Linux vendors that are big enough to provide such support.
While there is just one Windows vendor.
Re:Wonderful Support... (Score:3, Insightful)
I've worked for several Fortune 500 companies. Support has nothing to do with the decision: Exclusionary contracts do. Microsoft offers huge discounts to businesses that agree not to use a competitor's product. They also regularily check for compliance and there are large fines for any company caught using open source software.
I have been an employee/contractor at many Fortune 500 companies, and have never seen anything even hinting at a contract with Microsoft involving "large fines for any company caught using open source software". Care to provide any proof of Microsoft contract with any F500 consumer of software that prohibits said F500 from running open source software?
YHBT YHL HAND.
Seriously though, the poster you're responding to is full of shit. I've been in IT for 25 years and have worked with everything from SMB's to Fortune 10's and have never seen any such thing.
It would be nice if people could state their opinions without resorting to lies and trolling.